ABSTRACT

This document defines the Boeing Vertol System Safety Program Plan
(SSPP) for the "Externally Mounted, Automatically Expelled/Inflated
Multiplace Life Raft for Helicopters" (Automated Life Raft) (ALR)
for the H-46 Automated Life Raft Program. Emphasis is placed on the
System Safety Program contribution to substantiation of the
airworthiness characteristics of the "Automated Life Raft Equipped
Aircraft Configuration". This Plan provides for the evaluation of
system hazards and implementation of the required hazard controls.


KEY  WORDS 

Failsafe  Design 

Hazard  Analysis 

Hazard  Identification 

Hazard  Control 

Airworthiness 

System  Safety  Program 

Automated  Life  Raft  (ALR) 

System  Safety  Program  Plan 
Airworthiness  Qualification 
Hazard  Classification 
Correction  Action 
Human  Error 
3.1 INTERFACES

Probability of equipment malfunctions in support of hazards
analyses.

a.  Maintainability  Engineering 

Identification of maintenance tasks in support of hazards
analyses.

b.  Quality  Assurance 

Identification  of  hazard  control  procedures  in  support  of 
making  safety  assessments. 

c.  Customer  Technical  Personnel 

Formal  and  informal  system  safety  reviews  between  contractor 
and  customer  safety  personnel. 

3.2  DESIGN  SUPPORT 

System safety design support is maintained through the
implementation of a series of design reviews, trade reviews, and
the establishment of a procedure for submitting safety
recommendations/corrective actions.

3.3 SUBCONTRACTOR CONTROL

Safety  control  of  products  designed  by  Boeing  and  manufactured 
by  others  is  exerted  by  normal  quality  control  and  inspection 
techniques.  These  techniques  ensure  that  the  safety  designed 
into  the  product  is  not  degraded  by  the  subcontractor. 

Safety  control  of  products  designed,  fabricated,  and  tested  by 
the  subcontractor/supplier  is  exerted  by  the  identification  of 
design  safety  requirements  in  procurement  specifications  and 
specification control drawings. Subcontractors/suppliers are
required to identify potential hazards that may exist in their
design and describe corrective methods used to eliminate or
control these hazards. Safety devices, warning systems, or
compensating avoidance procedures will be described in those cases
where the hazards cannot be eliminated. Subcontractors/suppliers
are required to:

a.  Submit  hazards  analyses  - These  analyses  must  be  approved 
by  Boeing  Vertol  prior  to  design  finalization. 

b. Submit test plans which include provision for verification
of  safety  requirements. 

c.  Participate  in  design  reviews,  as  required  by  Boeing 
Vertol,  to  implement  corrective  action  to  remove  or 
control  potential  hazards. 

3.4  SYSTEM  SAFETY  PROGRAM  ACTIVITIES 

3.4.1  Requirements  and  Criteria 

The  primary  task  of  establishing  safety  requirements  and  criteria 
is  accomplished  by  (1)  performing  hazards  analysis  and  (2) 
utilizing  experience  gained  from  other  programs  using  similar 
systems  and  from  the  following  experience  retention  sources: 

a.  Military  Specifications 

b.  Contractual  Documents 

c. System Safety Design Handbook (AFSC DH1-6)

d.  Vertol  Design  Instruction  Manual  (VDIM) 

e.  Mishap/Accident  Analyses 

These experience-generated criteria are utilized by Preliminary
Design Review participants and for inputs to design
specifications.

3.4.2  Hazard  Analyses 

Hazard  analyses  will  be  performed  to  identify  the  hazardous 
elements  or  conditions  in  the  air  vehicle  system  and  provide 
for  their  elimination  or  control.  The  following  types  of 
hazard  analyses  will  be  performed. 

3.4.2.1 Subsystem Hazard Analyses (SSHA)

Subsystem Hazard Analyses will be performed to the level
necessary to identify hazards for components and equipments whose
performance degradation or functional failure could result in
hazardous conditions. The SSHA uses the top-down approach.

This  approach  is  compatible  with  any  level  of  design  effort. 
Subsystem  analysis  starts  when  its  functions  are  defined  and 
detail  functions  are  outlined.  The  following  subsystem  will 
be  analyzed: 

Externally Mounted, Automatically Expelled/Inflated, Multiplace
Life Rafts For Helicopters

a. Life Rafts

b. Cool Gas Generators, Solid Propellant Generator

c. Life Raft Encapsulation

d.  Harness  and  Retention  System 

e.  Electrical  Activation  System 

3.4.2.2 System Hazard Analysis (SHA)

Subsystem, Operational and Maintenance Hazard Analyses are
generally limited in scope and may not bridge all the
interfaces between subsystems, especially when redundancy is spread
across two or more subsystems. In this respect the SHA is
performed on the total system. The technique for performing the
SHA considers the common causal factors as well as the spatial
relationships between parts and subsystem.

3.4.2.3 Operating Hazard Analysis (OHA)

The Operating Hazard Analysis (OHA) will be performed to
identify hazardous conditions related to the performance of
tasks involving aircraft use. Control of operating hazards is
generally attained by implementing appropriate procedures,
instructions, and training. A flight profile will be defined
(including operation in the intended environment of the H-46
Helicopter) from which the operating tasks will be derived. This
analysis will be completed prior to first operations of the
demonstration model.

3.4.2.4 Maintenance Hazard Analysis (MHA)

The Maintenance Hazard Analysis (MHA) is performed to identify
hazards to the system which could result from faulty
maintenance and to identify hazards which could cause injury to
maintenance personnel. The MHA is conducted in conjunction
with the maintenance tasks as defined by Maintainability
Engineering. Control of these hazards may be in the form of
procedures, cautions, training, or design changes.

3.4.2.5 The above analyses will consider the interfaces with
GFE equipment, but not include detail analysis of GFE.

3.4.2.6 The above analyses will use, as practical, the data in
the "Automated Life Raft Study" that was prepared under Contract
N62269-75-C-0454.

3.4.3 Design Reviews/Trade Studies

The major design review effort by the safety engineer occurs
"over the drawing boards" and in informal design reviews.
Conclusions reached during hazards analyses and experience
retention analyses are made available to design review
participants. The safety engineer also participates in design trade
studies.

3.4.4  Corrective  Action  Procedure 

The  corrective  action  procedure  for  identified  safety  problems 
is  described  below. 

3.4.4.1 Hazard Categorization and Evaluation

The Hazard Categorization and Evaluation Cycle is illustrated
by Figure 2. Hazards will be classified on the basis of the worst
potential consequences which could ultimately occur if the
hazard is not eliminated.

These  classifications  will  never  change  unless  the  original 
predicted  consequence  requires  revision  or  the  classification 
selected  is  in  error.  The  hazard  cause  factors  will  include 
personnel  error,  environmental  conditions,  system  design 
characteristics,  procedural  deficiencies,  and  material  failure 
or  malfunction.  Classification  of  the  consequence  or  effect 
of  hazards  will  be  expressed  in  terms  of  the  severity  of  their 
effects  on  personnel  and  the  material. 

a.  Class  I - Negligible 

1.  The  consequences  of  the  condition  will  not  result  in 
personal  injury  or  system  damage. 

b.  Class  II  - Marginal 

1.  The  consequences  of  the  condition  can  be  counteracted  or 
controlled  without  injury  to  personnel  or  major  system 
damage. 

c.  Class  III  - Critical 

1.  The  consequences  of  the  condition  will  cause  personnel 
injury  or  major  system  damage,  or  will  require  immediate 
corrective  action  for  personnel  or  system  survival. 

d.  Class  IV  - Catastrophic 

1.  The  consequences  of  the  condition  will  cause  death  or 
severe  injury  of  personnel  or  system  loss. 

FIGURE 2 - Hazard Categorization and Evaluation Cycle

e. Class V - Undetermined

1.  The  consequences  of  the  condition  cannot  be  determined  at 
this  time.  Additional  technology,  analysis,  or  test  are 
required  to  substantiate  the  effects  on  the  system. 

A safety  assessment  will  be  made  for  those  hazards  which  cannot 
be  eliminated.  The  assessment  shall  be  indicated  as  follows: 

"A"  - Adequate  - The  occurrence  of  the  hazard  is  considered  to 
be  unlikely  with  the  controls  provided. 

"B"  - Not  Adequate  - The  occurrence  of  the  hazard  is  considered 
to  be  likely,  and  controls  are  not  considered  sufficient  or  do 
not  exist. 

Hazards that have been designated with a safety assessment of
"Not Adequate" or "Undetermined" will be documented on a Safety
Problem Action Report (SPAR) as described in Paragraph 3.4.4.2.

The  above  process  effectively  prioritizes  identified  hazards  and 
directs  attention  to  those  areas  requiring  further  investigation 
and  management  decision  for  corrective  action.  Resources  required 
to  establish  corrective  action  will  be  identified  when  the 
program  costs,  schedule,  or  system  performance  are  significantly 
affected. 

3.4.4.2 Action on Identified Hazards

A closed  loop  procedure  will  be  used  for  tracking  action  status 
of  identified  safety  problems  (hazardous  conditions).  Sources 
of  problem  identification  include  hazard  analyses,  design  reviews, 
test  experience,  and  mishap  data  available  from  the  Armed 
Services  Safety  Agencies. 

Safety problems will be documented on a Safety Problem Action
Report (SPAR) Form (see Figure 3). SPARs will be closed out
after implementation of the required corrective action has been
verified. Each SPAR will be chronologically numbered and
cross-referenced to appropriate subject categories selected from the
Work Breakdown Structure (WBS).

The  System  Safety  Engineer  will  identify  the  problem  with 
appropriate  recommendations  and  coordinate  problem  investigation 
with  the  cognizant  design,  technology  and/or  test  engineer. 

The  required  action  is  recorded  and  the  Safety  Engineer  and 
the  Design,  Technology  or  Test  Engineer  sign  the  SPAR  as  approval 
of  the  corrective  action. 

Status of SPARs will be reported in the Safety Statement.

3.4.5 Program Review


System  Safety  Program  Informal  Reviews  will  be  scheduled  as 
required.  The  Contractor  will  be  prepared  to  discuss  or  answer 
questions  relative  to  safety  activities  as  defined  by  Safety 
Statements  or  other  safety  related  agenda  items  as  approved  by 
the  Navy  Program  Manager. 

3.4.6  Test  Requirements  and  Reviews 

3.4.6.1 Test Plans

Safety Engineers will review test plans and recommend safety
requirements as appropriate. These requirements will be
generated from hazard analyses and/or experience retention data.
Test results will be reviewed for compliance with the test
requirements.

3.4.6.2 Failure/Malfunction Reporting

Equipment failure/malfunctions for all test phases (bench testing,
demonstration, test rig, flight testing) will be reported to
Safety Engineering so that these "potential hazards" may be
included in hazard analyses and their effect determined on
aircraft operation. Test Engineering has the responsibility to
report such failures/malfunctions to the Safety Engineering
Group.

3.4.6.3 Flight Test Accident/Incidents

The procedure for investigation and reporting an aircraft
accident/incident will follow the guidelines of Boeing Vertol
Operating Procedure 700.49, "Aircraft Accident or Incident
Investigation."

3.4.7  Safety  Statements 

Safety  Statements  will  be  prepared  in  accordance  with  the  format 
shown  by  Figure  4,  and  will  be  submitted  as  required. 

4.  SYSTEM  SAFETY  ACTIVITIES  AND  MILESTONE  SCHEDULE 

System  safety  activities  and  milestone  schedules  will  be  in 
accordance  with  Figure  5. 

HELICOPTER FLOTATION SYSTEM SAFETY STATEMENT
Table  of  Contents 

List  of  each  subsystem  and  its  page  number. 

Introduction 

Summarize  all  actions  completed  or  initiated  during  reporting 
period.  Provide  a narrative  on  status  of  overall  safety 
program. 

Subsystems

List  each  subsystem  separately  and  present  the  following  for 
each  subsystem. 

a.  Description  - Describe  the  subsystem,  identifying  the 
components  within  the  subsystem  and  their  sequence  of 
operation.  Schematic  diagrams  shall  be  included  for  each 
major  subsystem  to  aid  in  the  understanding  of  the 
relationships  between  components.  The  interfaces  of  the 
subsystem  with  other  subsystems  shall  be  included  in  the 
discussion  and  schematics. 

b.  Hazards  - Any  potential  hazards  identified  during  the 
particular  reporting  period  for  the  Safety  Statement  or 
any  hazards  identified,  but  not  eliminated  or  controlled 
in  previous  Safety  Statements  shall  be  presented  in  this 
section.  The  hazards  will  be  referenced  by  their  tracking 
system  designation.  Possible  alternatives  of  corrective 
action  will  be  presented  for  all  identified  hazards. 

The  Contractor  shall  select  the  most  feasible  form  of 
corrective  action  as  early  in  the  design  phase  as 
possible  and  present  his  reasons  for  the  selection  of 
this  particular  alternative. 

Failure  Mode  Analysis 

Summarize  any  quantitative/qualitative  analyses,  and  present 
any  test  results  performed  to  support  information  contained 
in  the  Safety  Statement. 

References 

List  all  pertinent  references. 


FIGURE  4 - General  Format  for  Safety  Statement 

5. DOCUMENTATION

The  SSPP  shall  be  updated,  as  required. 

The  contractor  will  submit  Safety  Statements  to  the  procuring 
agency,  as  required. 

All other system safety data will be available in the Contractor's
file for government review.

6.  AIRWORTHINESS  SUBSTANTIATION 

The following activities of the "Automated Life Raft"
SSPP will form the system safety portion of the Airworthiness
Qualification Program.

a.  Review  of  hazard  analyses. 

b.  Safety  Problem  Action  Report  (SPAR)  status. 

c. Compliance with model specification and contract safety
requirements.

d.  Review  of  test  and  demonstration  plans. 

e.  Review  of  test  results. 

f.  Review  of  interim  safety  statements. 

7.  U.S.  NAVY  EVALUATION  TESTS 

The  system  safety  activities  in  support  of  U.S.  Navy  Evaluation 
Tests  will  include: 

a. Update of the final safety statement submitted to the
government 30 days after completion of Demonstration Model
Testing.

8. SAFETY ACTIVITIES

8.1  SAFETY  DATA 

The  safety  data  provided  by  the  Naval  Aviation  Safety  Center, 
Norfolk,  VA  was  utilized  in  the  preparation  and  evaluation  of 
the  safety  analyses. 

8.2  TRAINING 

The  Contractor  shall  develop  and  conduct  an  in-house  training 
program  to  qualify  and  develop  capabilities  of  System  Safety 
organization  personnel  in  the  hazard  analyses  techniques  and 
other tasks specified in the SSPP. System Safety shall review
instruction plans and materials to be used in the training of
flight, maintenance and test personnel for inclusion of
appropriate safety information.

8.3  AUDIT  PROGRAM 

An audit shall be accomplished to verify implementation of
actions designated to control all identified hazards. The audit
will  consist  of  a review  of  production  drawings,  functional  test 
procedures,  operating,  and  maintenance  instructions  by  the 
System  Safety  Group.  Results  of  the  audit  will  be  included  in 
the  Safety  Statements. 

8.4  GROUND  HANDLING,  STORAGE,  SERVICING  AND  TRANSPORTATION 

The  System  Safety  Program  shall  be  applicable  to  all  phases  of 
System  Ground  Handling. 

Hazards  analyses  shall  include  hazards  encountered  during  these 
ground  operations. 

Life Raft System Equipment will be handled, stored, serviced and
transported in accordance with established survival equipment
requirements.

8.5  SAFETY  TESTING 

Safety  Testing  is  integrated  into  appropriate  test  plans.  The 
tests  will  be  performed  on  critical  components  to  determine  the 
category  of  hazard  and/or  the  margin  of  safety  present  in  the 
design. The System Safety Input is derived from the Operating
Hazard Analysis (OHA).

The detail test plans will be structured to assure that testing
is carried out in a safe manner and that hazards introduced by
testing procedures, instrumentation, or test hardware are
identified and minimized.

9. SUBCONTRACTOR/VENDOR/SUPPLIER SYSTEM SAFETY PROGRAM APPLICABILITY

The requirements of this plan apply to program participants where
necessary in order to achieve SSPP objectives.

Subcontractors,  vendors  and  suppliers  will  perform  analyses  as 
necessary  to  identify  hazards  and  describe  corrective  methods 
used  to  control  or  eliminate  such  hazards  as  related  to  their 
specific  products. 

10. EXPLOSIVES AND ORDNANCE

Not Applicable.


11.  SYSTEM  INSTALLATION 

Figure 6 illustrates the management structure from which
on-the-job safety surveillance will be provided during system
installation, checkout, and modification activities.

FIGURE 6 - SYSTEM SAFETY UNIT MANAGEMENT STRUCTURE


